DP4400: ESXi does not allow root user to login and shows the following message in the ESXi UI: Remote access for ESXi local user account 'root' has been locked for 900 seconds after <X> failed login attempts.

           

   Article Number:     530682                                   Article Version: 2     Article Type:    Break Fix 
   

 


Product:

 

Integrated Data Protection Appliance Family,Integrated Data Protection Appliance 2.2

 

Issue:

 

 

DP4400 version 2.2       
       
        ESXi UI shows:
   
        

      root_user_locked_in_ESXi     
          
   
      ACM's server.log shows      
          
   
      [Timer-2]-util.SSHUtil: Creating session using SSH parameters:      Host     : [<ESXi_IP>]     User     : [root]     Password : [**************]         
          INFO  [Timer-2]-util.SSHUtil: Connecting to host [<ESXi_IP>] using provided credentials.         
          INFO  [Timer-2]-util.SSHUtil: Failed to connect session.         
          ERROR [Timer-2]-snmp.PTAgentManager: validatePTAgentService --> Error occured while checking DellPTAgent service status on ESXi          
          com.jcraft.jsch.JSchException: Auth fail         
              at com.jcraft.jsch.Session.connect(Session.java:512)         
              at com.emc.vcedpa.common.util.SSHUtil.createSession(SSHUtil.java:803)         
              at com.emc.vcedpa.common.util.SSHUtil.executeSshCommand(SSHUtil.java:420)         
              at com.emc.vcedpa.common.util.SSHUtil.executeSshCommand(SSHUtil.java:388)         
              at com.emc.vcedpa.common.util.SSHUtil.executeSshCommand(SSHUtil.java:365)         
              at com.emc.vcedpa.healthmonitor.snmp.PTAgentManager.validatePTAgentService(PTAgentManager.java:123)         
              at com.emc.vcedpa.healthmonitor.snmp.PTAgentManager.validatePTAgent(PTAgentManager.java:83)         
              at com.emc.vcedpa.healthmonitor.snmp.PTAgentManager.validateAndConfigurePTAgent(PTAgentManager.java:62)         
              at com.emc.vcedpa.healthmonitor.snmp.SNMPValidator.validateAndConfigureSNMPOnServers(SNMPValidator.java:102)         
              at com.emc.vcedpa.healthmonitor.snmp.SNMPValidator.run(SNMPValidator.java:90)         
              at java.util.TimerThread.mainLoop(Timer.java:555)         
              at java.util.TimerThread.run(Timer.java:505)
     
     
          
   
      Note 1: This article only applies to the DP4400, if it is a different IDPA appliance please use the following KB: http://support.emc.com/kb/527805         
          Note 2: In the DP4400 customer should only connect to ESXi as idpauser user. ESXi's root account is considered internal and the password is not available to customers.
     
          
                                                             

 

 

Cause:

 

 

The root account in ESXi is locked for 900 seconds If it is accessed several times using an incorrect password. This account will not be unlocked automatically because ACM access the root account every 900 seconds and that usually happens before the account is unlocked causing the account to be locked for another 900 seconds. This happens even though at this point ACM is using the correct password. This cycle of ACM accessing ESXi root account and ESXi extending the locking time will continue indefinitely unless ACM's dataprotection_webapp is stopped for 900 seconds.   
     
                                                           

 

 

Resolution:

 

 

   

         
  •         Open a SSH session to ACM      
  •      
  •         Shutdown Webapp service     
  •    
   
      service dataprotection_webapp stop   
   
         
  •         Wait for 900 seconds     
  •    
   
      At the ssh prompt just type: sleep 900         
          and wait for the sleep command to finish
   
   
         
  •         Start Webapp Service     
  •    
   
      service dataprotection_webapp start     
     
          
Note: This problem will not happen in DP4400 version 2.3 or later